author | Christian Pointner <equinox@spreadspace.org> | 2022-06-15 19:35:36 +0200 |
committer | Christian Pointner <equinox@spreadspace.org> | 2022-06-15 19:35:36 +0200 |
commit | 8e5c279f7cecf29589835e74602155b9afc430d8 (patch) | |
tree | c55e219fa44c220a29a4ef55ddc10c5f37456675 /inventory/host_vars | |
parent | update apt-repo gpg key for tor-project (diff) |
add simple handling for nftable rulesets in base role
Diffstat (limited to 'inventory/host_vars')
-rw-r--r-- | inventory/host_vars/ch-gw-lan.yml | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-gw-lan.yml b/inventory/host_vars/ch-gw-lan.yml
index 4637f04e..2aa27ab0 100644
--- a/inventory/host_vars/ch-gw-lan.yml
+++ b/inventory/host_vars/ch-gw-lan.yml
@@ -47,3 +47,26 @@ dhcp_server_interfaces:
 limit: "{{ network_zones.lan.dhcp.limit }}"
 domain: "{{ host_domain }}"
 dns: "{{ network_zones.lan.dns }}"
+
+
+nftables_base_rules:
+ public-services: |
+ define nic_lan = lan0
+ define public_ipv4 = {{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets['ch-router']) | ipaddr('address') }}
+
+ table ip nat {
+ chain public-services-prerouting {
+ type nat hook prerouting priority -100; policy accept;
+ iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
+ {% for name, svc in network_services.items() %}
+ iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
+ {% endfor %}
+ }
+ chain public-services-output {
+ type nat hook output priority -100; policy accept;
+ ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
+ {% for name, svc in network_services.items() %}
+ ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
+ {% endfor %}
+ }
+ }
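Review bot: The `{% for name, svc in network_services.items() %}` loop in the public-services-prerouting chain renders `tcp dport {  }` when a service's `ports` list is empty, and nft rejects an empty anonymous set at load time, so a single such entry makes the whole ruleset fail to load; filtering in the loop header, `{% for name, svc in network_services.items() if svc.ports %}`, keeps the output loadable, and the same applies to the identical loop in the public-services-output chain. The two chains otherwise carry the same rule bodies differing only in the `iif $nic_lan` prefix, which a small Jinja macro would keep from drifting apart when one of them is edited. Whether the DNATed connections are subsequently filtered by a forward chain depends on the base role's ruleset, which is not in this file, so a short comment above `nftables_base_rules:` stating that these nat rules only redirect and rely on the role's filter chains for access control would help the next reader.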